Filtering PIM Neighbors

Problem

You want to prevent your router from accepting PIM packets from another device.

Solution

In this example, we will configure a neighbor filter on Router1's FastEthernet interface, which it uses to connect to a foreign router called Router2:

Router1#configure terminal 
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#ip multicast-routing
Router1(config)#interface FastEthernet0/0
Router1(config-if)#ip address 192.168.1.1 255.255.255.0
Router1(config-if)#ip pim sparse-mode
Router1(config-if)#ip pim neighbor-filter 18
Router1(config-if)#exit
Router1(config)#access-list 18 deny any
Router1(config)#end
Router1#

Then, on the foreign router, we must configure an igmp helper-address:

Router2#configure terminal 
Enter configuration commands, one per line. End with CNTL/Z.
Router2(config)#ip multicast-routing
Router2(config)#interface FastEthernet0/0
Router2(config-if)#ip address 192.168.1.2 255.255.255.0
Router2(config-if)#ip pim dense-mode
Router2(config-if)#ip igmp helper-address 192.168.1.1
Router2(config-if)#end
Router2#

 

Discussion

There are two main reasons for configuring a PIM neighbor filter. The first and most obvious reason is security. If you don't control all of the routers on a network segment, but you want to maintain administrative control over your multicast routing trees, you might want to prevent the foreign devices from taking part in PIM. In particular, since PIM elects a Designated Router (DR) to handle multicast forwarding for each network segment, you can use neighbor filtering to ensure that you control the DR. Furthermore, preventing foreign routers from joining your PIM domain also prevents these routers from discovering and using your RPs, and it also prevents those foreign routers from advertising their own RPs into your domain.

The second reason for using this feature is to create the multicast equivalent of "stub routing." In stub routing, the foreign routers are still able to take part in the forwarding of multicast packets, but they must do so by exchanging IGMP Join and Leave packets with your routers.

Multicast stub routing conserves resources by allowing routers to keep track of fewer PIM neighbors. And because the stub region uses PIM-DM, it conserves resources on your RPs.

There are two parts to the configuration. On our edge router, you configure the neighbor-filter command by using an access-list:

Router1(config)#interface FastEthernet0/0
Router1(config-if)#ip pim sparse-mode
Router1(config-if)#ip pim neighbor-filter 18
Router1(config-if)#exit
Router1(config)#access-list 18 deny any

If there are some routers on this segment that you do want to include in your PIM domain, you can simply define a more precise access-list, such as:

Router1(config)#access-list 18 deny 192.168.1.2
Router1(config)#access-list 18 permit any

In this example, we allow any PIM neighbors except for Router2. You could similarly construct a more complicated filter to have a more complicated mixture of allowed and denied neighbors.

The second part of the configuration is the igmp-helper configuration on the foreign router:

Router2(config-if)#ip igmp helper-address 192.168.1.1

This command is important, as it ensures that Router2 will forward all of the appropriate IGMP Join and Leave messages to the internal PIM router. Without this command, Router2 doesn't know that there is an adjoining multicast network that might be able to service these IGMP requests.

Finally, we would like to point out that the stub domain, Router2 in our example, runs PIM-DM. This is necessary because this router doesn't have access to the usual PIM-SM mechanisms for joining a multicast tree. Instead, it must rely on the simpler PIM-DM flood and prune mechanism. Router1, on the other hand, can run PIM-SM, PIM-DM, or even Bidirectional PIM, as required.






Cisco IOS Cookbook
Cisco IOS Cookbook (Cookbooks (OReilly))
ISBN: 0596527225
EAN: 2147483647
Year: 2004
Pages: 505
Simiral book on Amazon

Flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net